454add1bfdc98b944ed97984f1771ec09c9a4c869e3fb6936573d0db8a83ac30

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-08-2022 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ZyLuMsm.ps1
Size

3KB
MD5

236285a8cc63669302f69d8087edb66e
SHA1

8581592c092100505a15f701697584809cf33ccf
SHA256

454add1bfdc98b944ed97984f1771ec09c9a4c869e3fb6936573d0db8a83ac30
SHA512

c36bb0f60610531b4d6704baeb193fce0ad97f4915e02a2a17daa54a12ffd4777c5ac2240fe00ede18b82da92afa263ae364e0dfbae9abbb0152ed33cfc7e088

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 1912 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1912 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1912 powershell.exe

flow	pid	process
1	1912	powershell.exe

pid	process
1912	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1912	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1912 wrote to memory of 1224	1912	powershell.exe	csc.exe
PID 1912 wrote to memory of 1224	1912	powershell.exe	csc.exe
PID 1912 wrote to memory of 1224	1912	powershell.exe	csc.exe
PID 1224 wrote to memory of 860	1224	csc.exe	cvtres.exe
PID 1224 wrote to memory of 860	1224	csc.exe	cvtres.exe
PID 1224 wrote to memory of 860	1224	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0ZyLuMsm.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kkgvdpx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES263.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC252.tmp"
3⤵
PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5kkgvdpx.dll
Filesize
3KB

MD5
f2c5b1c0c530a12b827673cd6dcef054

SHA1
f3cf5b781a8590ed2503f28bdee9eeae9bd5ced6

SHA256
8bfb332a593d7365e3d853033cbde42c39bb4ed7da8633fbd4d73c2b6c485075

SHA512
2a6c53f2a0ddf649de8b2d8f4cfc6340a9eb48851c2f3522feeb497911e2f3583c24dbae1957b7d89025afd8be680fb7e176ca950be1f65993d84a7e82f8ad83

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kkgvdpx.pdb
Filesize
7KB

MD5
331ea8459dd39c07badeb06aef3e75f6

SHA1
7f28aa0e9b8eec2f45553bc128854cbfa0911219

SHA256
c7612c608fb246534b783a262cd71305614e1440fb1e0d2283e3f6f3a9dde9aa

SHA512
9fd282cd3710cf8dbbf5f7f6bd6eabd4f92047b308ead0e1b847bf73f33fe376121b9d6060235dbdd32ef83eed3fc9c60ef042184399179dd42f44c870c280d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES263.tmp
Filesize
1KB

MD5
c0bbd9e56c4636131db22666805d4e31

SHA1
9be1be6af2fb24fdbf872b344e7a57bbf75f1071

SHA256
15240090f80cdb583f024bd7c7863ce06c04f3539bd45c72b19070fd0da7d087

SHA512
15ee027527bd76c6ebfb74d003745b82ac8d861455bac9cb63674a6af32827f998624930670b4552a6ab942bc288d9d7b98b4435d3b44d01c8f5aa47f3a34533

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5kkgvdpx.0.cs
Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5kkgvdpx.cmdline
Filesize
309B

MD5
10156d1289fd06bfd072c7d3141949f7

SHA1
1ec5c30b8c990e6461b409455cef8ebe33ec178d

SHA256
e8293a44d82a73c735ce3c253480e2751cf41da86ea0edfee389bf6d5ae2490e

SHA512
bec35bfdcea6e0b66640fcc50d61a95f48fa49feda6c8b0011afc72b2882f5867fcca4aac3fd59a420b70b92f94475321a97beb75cd46e96bff9959f5fe8c73b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC252.tmp
Filesize
652B

MD5
31505d2f5ac900936456681c845ca5fa

SHA1
1af9e97ee9200ebf226a7d4999da54b36d746e3b

SHA256
5fdbf8b4a0b2b090ee9b3a734f9de266da786ce8f43a281e96db8672258fb2ae

SHA512
1c1dd295912f3786d6b3045e1039faa268631a2ef6bfeced751c3a740c082f781dc04336ba2274c2276f5c16ab9800b68fdde2204c22798aba408e2608227241

Download Submit
memory/860-61-0x0000000000000000-mapping.dmp

Download
memory/1224-58-0x0000000000000000-mapping.dmp

Download
memory/1912-54-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1912-57-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1912-56-0x000007FEF3330000-0x000007FEF3E8D000-memory.dmp

Filesize
11.4MB

Download
memory/1912-55-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

Filesize
10.1MB

Download
memory/1912-67-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1912-66-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download